Solved

QNTC security

Posted on 2011-10-05
Last Modified: 2012-05-12
We have a client that is creating an import file on an AS-400.
If the file stays on the AS-400, the processing of the file takes about 2 hours.
If the file is moved to the Windows box, it takes about 40 minutes.
I have asked them to put the file on the Windows box directly; I am assuming they should/need to use QNTC to accomplish this.
They said this would require changes to their network to accommodate this that would preclude me from getting connected to the Windows computers that I need to.

Currently the computers I need are in a workgroup inside their firewall.

My question is this: what kind of authentication/connections are required to implement QNTC to allow the AS400 to write to a shared Windows folder?

There are also files that I put in this folder that the AS400 needs to pick up and process.

If this was implemented, I would not even need to see the AS400 from the Windows side at all; all the files would be transferred back and forth in the Windows folder.

If someone could point me in the right direction as to how I could proceed, that would be great.

(I could run MS-DOS batch programs that pull the files from the AS-400 and put them on the Windows side, but would rather not have that layer involved if I can help it; one more thing that might not work.)
Question by:CASorter
22 Comments
 
LVL 36

Accepted Solution

by:
Gary Patterson earned 1600 total points
ID: 36919485
There are lots of mechanisms that you can use to move a stream file from the AS/400 to a Windows folder or share.  Here are three of the most popular:

Push via QNTC

Configure QNTC, and use the AS/400 CPY or MOV command to push the file from the AS/400 to the target machine.  If the target Windows share allows Everyone Write rights, then no special provisions for security are required.  This isn't very secure, however.  Another alternative in most environments is to create a Windows user and password specifically for the file transfer process, and make sure it has the proper rights to the Windows share.  Then create a matching AS/400 User ID and password (exact same name and password).  Make sure the MOV command runs under the new AS/400 profile, and it will automatically authenticate using the matching Windows user ID and password.  For your requirements, this is a very good solution.

ftp://ftp.boulder.ibm.com/as400/web/netserver/common/v5r2smb/QNTC_F03.pdf
http://www.itjungle.com/fhg/fhg031704-story04.html

Pull using Netserver

NetServer is an AS/400 service that allows Windows clients to browse and access the AS/400 IFS, just like a Windows file server.  (The opposite of QNTC.)   Some shops find this an easier "sell" than configuring QNTC.  Create an AS/400 share, allow anonymous access (or authenticated access), and use a Windows script to copy or move the file from the AS/400 share to a Windows share.  The same basic "matching profiles" rules apply:  the Windows client will automatically try to authenticate to the AS/400 using the Windows user and password.  If a matching AS/400 profile and password exist, then access is granted to any objects that AS/400 profile can access.  It is also possible to use the Windows NET USE command to map a drive to an AS/400 folder using any AS/400 credentials desired, though this means that the script that creates the share has to have credentials embedded in it.

Push or Pull using FTP

The AS/400 has an FTP client and an FTP server.  Windows does too.  This means that you can push or pull files in either direction between the AS/400 and Windows, once the server is installed and started on one or the other.  This allows you to script FTP sessions originating from either the AS/400 or Windows.  SFTP and FTPS are also possible, though they take some additional configuration.

- Gary Patterson
0
 

Author Comment

by:CASorter
ID: 36920666
Thanks!   The reason that they didn't want to do option A (my preference) was that they said the destination Windows box had to be on the same domain as the AS400.

Due to the need for remote access to the Windows box and restrictions on remote access if a computer is part of the domain, the destination box is part of a workgroup of computers.

Can an AS400 be, or is an AS400, on a Windows network?

Is it required that the AS400 and the Windows box be on the same network in order for QNTC to work?

We are currently doing a modified option B, where we map a drive to the AS400 and process the files directly from there (we don't actually pull it across).  This is proving to take too long, which is why we are trying to get the files placed on the Windows side.


0
 
LVL 36

Expert Comment

by:Gary Patterson
ID: 36920945
I don't think that I've ever set up QNTC between systems on different Windows domains, but I can't see why not.  You won't see the list of servers and shares when you browse from QNTC (from WRKLNK), but you should still be able to add a link to the system by name or IP address.  The AS/400 will still need rights to the Windows share: either "Everyone" rights or a Windows profile with rights to the share that matches an AS/400 profile name and password, character for character.

An AS/400 can be part of a Windows network.  Specifically, it can share folders and printers using Windows protocols (CIFS - this is called NetServer), and it can access shares on Windows machines using the QNTC file system.  The AS/400 can also be configured to use Windows-based Kerberos authentication for certain functions.  The AS/400 can also access Windows printer shares using the LPR/LPD protocol when Windows File and Print Services for Unix is installed on a Windows system that publishes printer shares.

The AS/400 and the Windows systems do not need to be on the same network, but, of course, a network path between the two systems must exist, and the appropriate ports need to be open if the connections are firewalled.

- Gary Patterson
0

 
LVL 27

Assisted Solution

by:tliotta
tliotta earned 300 total points
ID: 36926569
If you are only needing to communicate with workgroup PCs, you should be able to create a local user/password on the target PC and a matching user profile and password on the AS/400. A job running under that profile on the AS/400 should be able to use the IP address of the PC to create (mount) a directory over a network shared folder from that PC.

On the AS/400, the command is like:

===> CRTDIR  '/QNTC/pc.ip.address'

IP address isn't technically required; the PC name would be preferred. But using IP address avoids requirements of other configuration elements. This is simply going straight at the issue.

Once the mount for that PC becomes established, the shares should be visible below that path.

The AS/400 job can be running directly as the required user or it might use programming to switch credentials to that user while doing the needed work.

Gary mentioned alternatives such as Kerberos. Certainly, getting the whole network configured for authenticated interaction would be best in the long run. Still, it's sometimes necessary to create specific paths.

Various possible firewall obstacles can always interfere, so check at each point along a route when problems arise.

By creating users, the passwords should be as safe as passwords can be -- never exposed in plaintext at least. The created users should have authorities that only allow the needed access at both ends. Password expiry for the users on both ends should also be watched.

Tom
0
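Gary's "push via QNTC" (CPY under the matching profile) and Tom's CRTDIR-by-IP steps, written out as one CL program. This is an added example, not code from the thread or from IBM; the library, program and profile names (XFERLIB, PUSHCSV, QNTCXFER), the host 1.2.3.4, the share xfer and the directory /home/xfer/out are constructed placeholders.

```cl
             /* PUSHCSV: push one CSV from the IFS to a Windows share via /QNTC.   */
             /* Submit it under the AS/400 profile whose name and password match   */
             /* the Windows account, so /QNTC can authenticate (constructed names): */
             /*   SBMJOB CMD(CALL PGM(XFERLIB/PUSHCSV) PARM('orders.csv')) USER(QNTCXFER) */
             PGM        PARM(&FILE)

             DCL        VAR(&FILE)    TYPE(*CHAR) LEN(50)   /* file name inside &OUTDIR */
             /* Constructed values: replace with the client's host, share and path */
             DCL        VAR(&HOST)    TYPE(*CHAR) LEN(15)  VALUE('1.2.3.4')
             DCL        VAR(&SHARE)   TYPE(*CHAR) LEN(11)  VALUE('xfer')  /* keep under 12 chars */
             DCL        VAR(&OUTDIR)  TYPE(*CHAR) LEN(50)  VALUE('/home/xfer/out')
             DCL        VAR(&QNTCDIR) TYPE(*CHAR) LEN(64)
             DCL        VAR(&FROM)    TYPE(*CHAR) LEN(128)
             DCL        VAR(&TO)      TYPE(*CHAR) LEN(128)
             DCL        VAR(&MSG)     TYPE(*CHAR) LEN(132)

             /* /QNTC only works while NetServer is running; harmless if already up */
             STRTCPSVR  SERVER(*NETSVR)
             MONMSG     MSGID(CPF0000 TCP0000)

             /* Build the paths in variables first, then hand variables to the commands */
             CHGVAR     VAR(&QNTCDIR) VALUE('/QNTC/' *TCAT &HOST)
             CHGVAR     VAR(&TO)      VALUE(&QNTCDIR *TCAT '/' *TCAT &SHARE)
             CHGVAR     VAR(&FROM)    VALUE(&OUTDIR *TCAT '/' *TCAT &FILE)

             /* Register the host under /QNTC by IP (no name resolution needed).
                CPFA0A0 = directory already exists: fine, reuse the link */
             MKDIR      DIR(&QNTCDIR)
             MONMSG     MSGID(CPFA0A0)

             /* Copy as text with EBCDIC-to-ASCII conversion so Windows can read the CSV */
             CPY        OBJ(&FROM) TODIR(&TO) TOCCSID(*PCASCII) +
                          DTAFMT(*TEXT) REPLACE(*YES)
             /* CPFA09C = not authorized: the job's user/password do not match the
                Windows account, or the share/NTFS ACL gives that account no write */
             MONMSG     MSGID(CPFA09C) EXEC(DO)
                CHGVAR     VAR(&MSG) VALUE('QNTC write denied on ' *CAT &TO *TCAT +
                             ': check matching profile and share permissions')
                GOTO       CMDLBL(FAIL)
             ENDDO
             /* CPFA0A9 = object not found: wrong share name or source file missing */
             MONMSG     MSGID(CPFA0A9) EXEC(DO)
                CHGVAR     VAR(&MSG) VALUE('Path not found: ' *CAT &FROM *BCAT 'or' +
                             *BCAT &TO)
                GOTO       CMDLBL(FAIL)
             ENDDO
             RETURN

             /* Escalate as an escape message so the submitted job ends in error */
 FAIL:       SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) MSGTYPE(*ESCAPE)
             ENDPGM
```

The transfer profile needs only write access to the share on the Windows side and only *R access to &OUTDIR on the AS/400, which keeps the shared password from unlocking anything else.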
 

Author Comment

by:CASorter
ID: 36926666
So you guys are saying that we should be able to create the directory to a computer in a workgroup (as long as the share on the Windows machine has Everyone access) from the AS400, which is part of a secured domain,

simply by doing the CRTDIR command...

Can you think of why they might say that being on the same domain was a requirement?

0
 
LVL 27

Expert Comment

by:tliotta
ID: 36927506
simply by doing...

...and ensuring matching user/password on both ends and running under that profile on the AS/400 (when going outward via /QNTC) and ensuring all "firewalls" (including Windows builtin or Zone Alarm or whatever) allow conversations between the two systems... i.e., do the manual stuff that is outside of overall networking configuration.

It's easy enough to test manually. Once the users exist on both systems, log on to the AS/400 as that user, run CRTDIR to mount the share, and drill into the share with the WRKLNK command. The user will either be able to see the files or won't.

Naturally, if an IP address is non-routable and the route crosses a router that drops the transaction, or if any similar circumstance gets in the way, additional steps would be needed. Anything going across some unknown network environment is always subject to trouble.

Without more info about the end-to-end route, I can't guess what might be an issue in their case. I manage to get cross-domain transactions working, but it's "Windows". You never know what tweaks might be needed.

Tom
0
 
LVL 36

Expert Comment

by:Gary Patterson
ID: 36927795
I don't know of any reason that "same domain" is a requirement.  Here is the possible source of confusion:

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=%2Fifs%2Frzaaxntmkdir.htm

- Gary Patterson

0
 
LVL 27

Expert Comment

by:tliotta
ID: 36927932
BTW, what Windows OS is on the PC? What OS version is on the AS/400?

And Windows fix packs and AS/400 PTFs to match can make big differences, as can exit programs on AS/400 network exit points.

Tom
0
 

Author Comment

by:CASorter
ID: 36932044
Part of the issue is that I don't have any access at all to the AS400.

The AS400 programmer I am dealing with has to go through the corporate IT network bureaucracy.  I don't think he has any experience with QNTC and is thoroughly caught in the middle:

me asking to do this on one side, and his network people saying it can't be done on the other side.

I will see what I can do.

Windows Server 2008 R2 (64-bit) is the Windows side; I don't know what the AS400 is.


0
 

Author Comment

by:CASorter
ID: 36932051
When I say no access, I mean I can't enter any commands... I do have access to the folder on the AS400 that we are currently processing the file in.

0
 
LVL 27

Expert Comment

by:tliotta
ID: 36933238
I do have access to the folder on the AS400...

What interface is used for that access?

So, you personally have a way to access a folder on the AS/400. But there is a particular PC in the client's network that needs automated access to that same folder. It doesn't matter much if the PC has read/write access to the folder or if the AS/400 pushes content from that folder to the PC, as long as an automated process on the PC can work with data in that folder.

The NetServer configuration on the AS/400 has domain DDDD set. The PC is configured for a workgroup WWW. Because the workgroup does not match the configured NetServer domain, the expectation is that there is no Windows networking connectivity available between the AS/400 and the PC.

Anything significant missing from that?

Tom
0
 

Author Comment

by:CASorter
ID: 36933347
Back to the original problem...
I *can* run the import directly on the file on the AS400... it takes 2 hours.
If I move it to the Windows box... it takes 40 minutes... same import file, same executable.

I want to have it end up on the Windows box.
I *can* write batch files that pull the file over so the import program can run on it there, but I would rather have them put it there in the first place.  Hence the interest in QNTC and getting them to put it there to begin with.
0
 

Author Comment

by:CASorter
ID: 36933404
And as to the 2nd part....
What you have described is correct.
AS/400 has domain DDDD.
PC (which is Server 2008 R2) is in workgroup WWW.

That much I understand and know to be true.
I am not sure what you mean concerning the next sentence.

 Because the workgroup does not match the configured NetServer domain, the expectation is that there is no Windows networking connectivity available between the AS/400 and the PC.

I think "Because the workgroup does not match the configured NetServer domain" is true.

But the expectation part... not sure..
I DO have the ability to read and write to the folder on the AS/400.  We are mapping a Windows drive to the AS400 IP address and folder \\10.10.10.133\xfer
I have full read/write access to this AS400 folder,

which implies that there IS connectivity between the two...

which is why I am scratching my head so much concerning why their network team seems to think there is some domain-level incompatibility.  I already can get to the folder one way; seems like they could get to a folder on my box the other way.....
0
 
LVL 27

Expert Comment

by:tliotta
ID: 36934153
Stating things over again has helped keep focus. Thank you.

...but i would rather have them put it there in the first place.

And back at the beginning:

we have a client that is creating an import file on an AS-400.

So, the file is actually generated on the AS/400? I would normally expect (i.e., "import") this to be a .CSV file from a database, and this becomes an IMPORT file either into another database or something like Excel.

Due to Microsoft's ability to change Windows networking protocols/requirements with service packs, I can understand some reluctance on the part of the AS/400 guys. Some frustration can arise in getting a setup to work reliably and securely from a non-MS platform.

Is there any chance of installing/running MS's NFS on the PC? The AS/400 supports NFS as client and server. But if /QNTC is difficult to set up to reach this PC, NFS might seem an even greater challenge.

Tom
0
 

Author Comment

by:CASorter
ID: 36934174
Correct.
The AS400 is creating a CSV file.
This file is being imported via a program running on the Windows box.
The issue is where the AS400 guys put the file:

on the AS400 (slow importing or additional step to move it to the Windows box)
or
on the Windows box to begin with (fast running, no additional transfer step).


Some frustration can arise in getting a setup to work reliably and securely from a non-MS platform.
Um... ya   :(

0
 
LVL 36

Assisted Solution

by:Gary Patterson
Gary Patterson earned 1600 total points
ID: 36936240
This should be very simple to test.  Set up an unsecured "Everyone" share on the Windows box. Let's say it is \\1.2.3.4\test. Put a file or two in the shared folder.

On the AS400, have the 400 guy execute this:

MKDIR '/QNTC/1.2.3.4'

Then he can WRKLNK '/QNTC/1.2.3.4'

If all the connectivity is good, he should see the test share and be able to browse it using option 5.

If it doesn't work, then there is some detective work needed.

0
 

Author Comment

by:CASorter
ID: 36949021
does qntc need to be installed on the as400 or is it port of the normal setup
0
 

Author Comment

by:CASorter
ID: 36949025
*part of the normal setup
0
 
LVL 36

Expert Comment

by:Gary Patterson
ID: 36949366
AFAIK, the file system QNTC is a core OS component.  Make sure Netserver is started before using QNTC.

- Gary Patterson
0
 
LVL 36

Expert Comment

by:Gary Patterson
ID: 36949405
Also make sure your share names are less than 12 characters long.
0
 
LVL 14

Assisted Solution

by:daveslater
daveslater earned 100 total points
ID: 36962954
Hi,
I have just set up QNTC on our system on V5.4.

If you are on V5.4, then check the environment values:
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Fifs%2Frzaaxqntcvariables.htm

You may also want to check
http://www-01.ibm.com/support/docview.wss?uid=nas17d5a24100f2671648625756a006353a1
for security troubleshooting.

You set up the server via iSeries Navigator.
It is under Network/Servers/TCPIP.
The domain can be a domain or a workgroup.

If you are trying to access a 2008 server, then the PTFs must be up to date.

To test I did the following:
I set up a local Windows profile (it is just easier) with the corresponding AS/400 password. The PC profile was set as administrator and the AS/400 as a pgmr.
Created the link via MKDIR via an IP address.
Used CD to check the directory
and drilled down to the documents.


The PTFs were the big thing for our site, and once they were up to date then it just worked as you would expect on the AS/400.

Note the other option is to simply FTP the file from the AS/400 to the PC / server.

Dave
0
 

Author Comment

by:CASorter
ID: 36963583
Thanks all.

I don't think the problem has boiled down to a technical one, rather a bureaucratic one.

I think we have supplied them with the tools to accomplish this; it is a matter of them wanting to do it.


In the meantime I have done the batch files on my side that accomplish the same thing.

Thanks for your correspondence!

0
